
Re: [MacPerl] Dangerous cgi-script



claes@canit.se (Claes Bjorklund) writes:
>Is this cgi script dangerous? The idea with the script is to let the
>www-user do simple mathematics, but I am afraid they can do something
>dangerous. Is there any difference between Unix and Mac?
>
>$math = $FORM{'calc'};
>$res=eval "$math";
>[...]

This script is very dangerous indeed. Think of what happens if some user
decides that "unlink" is a mathematical operator! The solution for this is to
either use the Safe module (but I have never really tried that on MacPerl) or to
do a sanity check on $math before evaluating it. (Forbidding more than 3
successive alphabetic characters, for instance, allows sin and cos while
forbidding most (all?) dangerous operators).

Matthias

-----
Matthias Neeracher   <neeri@iis.ee.ethz.ch>   http://www.iis.ee.ethz.ch/~neeri
   "I'm set free to find a new illusion" -- Velvet Underground
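The two defences Matthias mentions, combined, as an added example (this is not code from the original posting or from MacPerl). It assumes the CGI has already parsed the form into a string that would normally come from $FORM{'calc'}; the function names validate_math and safe_calc are hypothetical. It goes a step beyond the "at most three consecutive letters" heuristic: instead of counting letters, it tokenizes the expression and admits only an explicit list of math functions, since a three-letter limit alone would still let short Perl builtins such as "do" or "die" through. The validated expression is then evaluated inside a Safe compartment as a second layer, so a slip in the validator still does not reach file or process operators.

```perl
#!/usr/bin/perl
# Added example (not from the original post): input validation plus a Safe
# compartment for a web calculator. validate_math and safe_calc are
# hypothetical names; the sample inputs at the bottom are constructed.
use strict;
use warnings;
use Safe;

# Explicit whitelist of callable names. Stricter than "no more than three
# letters in a row": unknown names are rejected outright.
my %ALLOWED_FUNC = map { $_ => 1 } qw(sin cos exp log sqrt abs int);

# Tokenize the expression and accept only the grammar of a calculator:
# numbers, arithmetic operators, balanced parentheses, whitespace, and the
# whitelisted function names. Returns (1, 'ok') or (0, reason).
sub validate_math {
    my ($expr) = @_;
    return (0, 'empty')    unless defined $expr && length $expr;
    return (0, 'too long') if length $expr > 200;

    my $depth = 0;
    pos($expr) = 0;
    while (pos($expr) < length $expr) {
        if    ($expr =~ /\G\s+/gc)                 { next }   # whitespace
        elsif ($expr =~ /\G(?:\d+\.?\d*|\.\d+)/gc) { next }   # 16, 3.14, .5
        elsif ($expr =~ /\G\*\*/gc)                { next }   # power
        elsif ($expr =~ /\G[-+*\/%]/gc)            { next }   # + - * / %
        elsif ($expr =~ /\G\(/gc)                  { $depth++; next }
        elsif ($expr =~ /\G\)/gc) {
            return (0, 'unbalanced )') if --$depth < 0;
            next;
        }
        elsif ($expr =~ /\G([A-Za-z]+)/gc) {
            # Any run of letters must be a whitelisted function, exactly.
            return (0, "unknown name '$1'") unless $ALLOWED_FUNC{$1};
            next;
        }
        else {
            # Anything else (quotes, semicolons, backticks, sigils, ...) is out.
            my $bad = substr($expr, pos($expr), 1);
            return (0, "illegal character '$bad'");
        }
    }
    return (0, 'unbalanced (') if $depth != 0;
    return (1, 'ok');
}

# Second layer: even a validated expression is run inside a Safe compartment,
# whose default operator mask permits arithmetic and the :base_math functions
# but not file or process operations such as unlink.
sub safe_calc {
    my ($expr) = @_;
    my ($ok, $why) = validate_math($expr);
    return "rejected: $why" unless $ok;

    my $cpt = Safe->new;
    local $SIG{__WARN__} = sub { };   # keep numeric warnings out of the CGI log
    my $res = $cpt->reval($expr);
    return "error: $@" if $@;         # syntax error or runtime error in the sandbox
    return defined $res ? $res : 'undef';
}

# Constructed sample inputs standing in for $FORM{'calc'}.
for my $input ('2 + 3 * 4', 'sqrt(16) + sin(0)', '(1 + 2', 'unlink 1', '1; 2') {
    printf "%-20s => %s\n", $input, safe_calc($input);
}
```

Run from the command line this prints 14 and 4 for the first two inputs and a rejection reason for the other three; in the real CGI, safe_calc($FORM{'calc'}) would replace the bare eval. The order of the two layers matters: validation rejects the bulk of junk cheaply with a clear message, while Safe covers whatever the validator did not anticipate.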

***** Want to unsubscribe from this list?
***** Send mail with body "unsubscribe" to mac-perl-request@iis.ee.ethz.ch